Attestation format

SALT follows the in-toto Attestation Framework (IAF). The IAF provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of software can then validate the origins of the software, and establish trust in its supply chain, using in-toto attestations.

Attestations in the IAF are serialized as JSON.

Structure of an Attestation

The core of the IAF is the specification for in-toto attestation layers:

  • Envelope: Handles authentication and serialization.

  • Statement: Binds the attestation to a particular subject and unambiguously identifies the type of the predicate.

  • Predicate: Contains arbitrary metadata about a subject artifact, with a type-specific schema.

  • Bundle: Defines a method of grouping multiple attestations together.

In short,

  • Envelope is a signed attestation, conveying a Statement as payload (encoded in base64) and a Signature.

    Envelopes typically have one signature but may have multiple.

    A media type of application/vnd.in-toto.<predicate>+dss is assigned for envelopes.

  • A Statement binds a Subject and a Predicate, with a predicateType field that unambiguously identifies the type of the predicate via a type URI.

  • Subject is the set of software artifacts that the attestation applies to. Each software artifact is represented by a ResourceDescriptor (its name plus one or more digests).

  • Predicate is the innermost layer of the attestation, containing arbitrary data about the Statement’s Subject.

The framework specifies the format and semantics for some common fields.
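The layering described above, worked end to end as an added example (this is not SALT's or in-toto's own code): a Statement is built for a constructed sample artifact, serialized as JSON, base64-encoded into a DSSE Envelope, and signed over the DSSE pre-authentication encoding; a consumer then verifies the signature, checks the Statement type and predicateType, and confirms that the artifact it holds is among the Subject digests. The predicate type URI, key id and artifact bytes are constructed for the example, and an HMAC stands in for the asymmetric signature a real signer would use so that the block needs only the Python standard library.

```python
"""Build, sign and verify an in-toto v1 Statement wrapped in a DSSE Envelope.

Added example; the predicate type, key material and artifact are constructed.
"""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Hypothetical predicate type URI, constructed for this example only.
EXAMPLE_PREDICATE_TYPE = "https://example.com/attestations/build-summary/v1"

# Constructed sample artifact and a stand-in shared secret for the HMAC "signer".
SAMPLE_ARTIFACT = b"#!/bin/sh\necho hello\n"
SAMPLE_KEY = b"example-shared-secret-not-for-production"
SAMPLE_KEYID = "example-key-1"


def resource_descriptor(name: str, content: bytes) -> dict:
    """Subject entry: a ResourceDescriptor naming the artifact and its sha256 digest."""
    return {"name": name, "digest": {"sha256": hashlib.sha256(content).hexdigest()}}


def make_statement(subjects: list, predicate_type: str, predicate: dict) -> dict:
    """Statement layer: binds Subject and Predicate, typed by predicateType."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": subjects,
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign_statement(statement: dict, key: bytes, keyid: str) -> dict:
    """Envelope layer: base64 payload plus a signature over PAE(payloadType, payload)."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, key: bytes, artifact: bytes,
                    expected_predicate_type: str) -> dict:
    """Consumer-side check. Raises ValueError on any mismatch; returns the Statement."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    # Envelopes may carry several signatures; one valid signature from our key suffices here.
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", [])):
        raise ValueError("no valid signature")
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError("payload is not an in-toto Statement")
    if statement.get("predicateType") != expected_predicate_type:
        raise ValueError("predicateType mismatch")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(sub.get("digest", {}).get("sha256") == digest for sub in statement["subject"]):
        raise ValueError("artifact digest is not among the Statement's subjects")
    return statement


def demo() -> tuple:
    """Round trip: sign, verify, and confirm a modified artifact is rejected."""
    stmt = make_statement([resource_descriptor("hello.sh", SAMPLE_ARTIFACT)],
                          EXAMPLE_PREDICATE_TYPE, {"builder": "example-ci"})
    env = sign_statement(stmt, SAMPLE_KEY, SAMPLE_KEYID)
    verified = verify_envelope(env, SAMPLE_KEY, SAMPLE_ARTIFACT, EXAMPLE_PREDICATE_TYPE)
    try:
        verify_envelope(env, SAMPLE_KEY, SAMPLE_ARTIFACT + b"x", EXAMPLE_PREDICATE_TYPE)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return verified, tamper_detected


if __name__ == "__main__":
    statement, detected = demo()
    print(json.dumps(statement, indent=2))
    print("tampered artifact rejected:", detected)
```

Signing the PAE rather than the raw payload is what makes the envelope's payloadType part of the authenticated data, so an attacker cannot relabel a signed payload as a different media type; the consumer must also pin the predicateType it expects, because a valid signature over some other predicate says nothing about the property being checked.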

Available Predicate Types

The following attestation predicates are supported:

In addition, Xygeni adds the following predicates:
